Everyone, please note: whenever SQL is executed directly, values must be passed in as parameters rather than substituted into the string, to prevent SQL injection.
# Example of the pattern to avoid: values are interpolated into the SQL text with %.
sql_str = """SELECT id FROM schedule WHERE schedule_id in
(SELECT id FROM working_schedule WHERE path_id in
(SELECT working_schedule.path_id FROM schedule left JOIN working_schedule
ON
schedule.schedule_id=working_schedule.id WHERE schedule.id=%s AND schedule.company_id=%s))
and time=%s and date>=%s and date<=%s""" % (
    schedule_id, company_id, '"' + schedule_time + '"', '"' + start_date_time + '"', '"' + end_date_time + '"')
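The same query with bound parameters, as an added example that is not part of the original message: it runs against an in-memory sqlite3 database with constructed tables and rows (the project's real schema and driver are assumed, not known), and shows that a value containing quote characters is treated purely as data.

```python
import sqlite3

# Constructed sample schema and rows, not the project's real data.
SCHEMA = """
CREATE TABLE working_schedule (id INTEGER PRIMARY KEY, path_id INTEGER);
CREATE TABLE schedule (
    id INTEGER PRIMARY KEY, schedule_id INTEGER, company_id INTEGER,
    time TEXT, date TEXT);
INSERT INTO working_schedule VALUES (1, 10), (2, 10), (3, 20);
INSERT INTO schedule VALUES
    (100, 1, 7, '08:00', '2024-01-10'),
    (101, 2, 7, '08:00', '2024-01-11'),
    (102, 2, 7, '09:00', '2024-01-11'),
    (103, 3, 7, '08:00', '2024-01-10');
"""

# The original query with placeholders instead of % formatting.
# sqlite3 uses '?'; MySQL drivers (pymysql, MySQLdb) use '%s', but in both cases
# the values go in the second argument of execute(), never through the % operator.
SQL = """SELECT id FROM schedule WHERE schedule_id IN
(SELECT id FROM working_schedule WHERE path_id IN
(SELECT working_schedule.path_id FROM schedule LEFT JOIN working_schedule
ON schedule.schedule_id = working_schedule.id
WHERE schedule.id = ? AND schedule.company_id = ?))
AND time = ? AND date >= ? AND date <= ?"""


def make_db():
    """Create the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_schedule_ids(conn, schedule_id, company_id, schedule_time, start_date, end_date):
    """Run the query with every user-supplied value bound by the driver.

    Quotes or SQL keywords inside a value cannot alter the statement: the
    driver sends them as literal data, so no string quoting is needed here.
    """
    params = (schedule_id, company_id, schedule_time, start_date, end_date)
    return sorted(row[0] for row in conn.execute(SQL, params))


if __name__ == "__main__":
    db = make_db()
    print(find_schedule_ids(db, 100, 7, "08:00", "2024-01-10", "2024-01-11"))
    # A value that would close the literal in the % version is just a non-matching string here.
    print(find_schedule_ids(db, 100, 7, '08:00" OR "1"="1', "2024-01-10", "2024-01-11"))
```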